The phrase Internet of Things (IoT) refers to physical objects, devices or “things” embedded with electronics, software and the ability to connect to the Internet. The connectivity permits the implementation of systems that monitor and control an activity. By way of example, multiple pumps in a nuclear power plant may be controlled (turned on/off or throttled) based on a number of factors such as the desired power level, coolant temperature, and the operation of other pumps within the coolant loop. Thus, not only can single sensors (e.g., a light sensor) or actuators (e.g., a light switch) be controlled in this way, but collections of sensors and actuators may be designed to function as a unit, where inter-device communication is operationally beneficial or necessary.
The Internet, in contrast, was designed to facilitate host-to-host communication. Within such an environment, traditional approaches to provisioning involve the use of trusted third parties such as manageability services, key management services and access management services. Recent trends in cloud computing have exacerbated this shift toward centralizing many security provisioning services. Centralized services represent a single point of failure for safety critical cyber-physical systems (think pump controllers in a nuclear power plant and health monitoring systems in a hospital). Centralized security provisioning services also imply a trust relationship is required between IoT devices and the central entity. Such centralization of trust represents a fallacious expectation that such an entity can operate without conflicts of interest and without increasing the device's attack surface exposure. Such assumptions may not be appropriate for many IoT systems.